"New features for the control include support for view-source: and data: protocols, plus it ships with the ActiveX plugin so it is possible to host ActiveX content from inside the control. The installer is slightly smaller (4.5Mb) thanks to bzip2 compression.

"There are no new features in the plugin but Mozilla 1.6 is unencumbered by the regression that disabled scripting support in 1.5."

There are plenty of words on security on the plugin page from a technical perspective. Read how many times I talk about activex.js and nsAxSecurityPolicy.js.

However, the default behaviour is to host & script controls marked safe for scripting and to download and offer to install signed controls. All other controls (e.g. those not marked safe) are not hosted. You can change these settings if you like from activex.js which is fully documented. The plugin also honours the IE blacklist as well as allowing you to set up your own blacklist / whitelist.

However, overall I don't think security is a big deal yet. I'd rather have people exercising the functionality rather than disabling it all by default. I would obviously change the policy if the plugin shipped by default with Firebird / Mozilla. The same thing happened in NS7.1 where the plugin was locked down to host the Windows Media Player control only.

But then again ActiveX security is not what Mozilla users should be worrying about. Ask yourself how many XPI files are signed for example and what a black hat could do with that knowledge if they felt so inclined.

"There are plenty of words on security on the plugin page from a technical perspective. Read how many times I talk about activex.js and nsAxSecurityPolicy.js."

You 'obviously' don't care about security YET... That info is way too hard to locate for the average joe user.

"But then again ActiveX security is not what Mozilla users should be worrying about. Ask yourself how many XPI files are signed for example and what a black hat could do with that knowledge if they felt so inclined."

Oh perfect, this one is new to me. Hey, I'm not questioning your work, nor should you have to worry about work of add-on/extension writers like me. This is all about evil ActiveX code out on the internet that can harm you anytime.

Security IS a real issue, especially ActiveX related features.

"I would obviously change the policy if the plugin shipped by default with Firebird / Mozilla. The same thing happened in NS7.1 where the plugin was locked down to host the Windows Media Player control only."

Why is that obviously? Why was that done? Remember, we don't have to worry about security, right?

Again, security IS a key factor, at least for me it is, and I'm sure for a lot more other people too.

It's pretty straightforward - the plugin is used by a minuscule fraction of Mozilla users who explicitly want ActiveX support and go to my website and install it. And of those I expect most if not all of them are developers of one kind or another.

Even so, the plugin ships with a reasonable set of security flags (equivalent to Medium in IE) that allow safe for scripting controls and control download & install with signing. The user is prompted by the usual signature checking dialogs during installation. The flags do not allow unsafe controls to run and any controls blacklisted by IE are also excluded. If you don't like these settings, don't install the plugin or change the flags. I'm glad the page is intimidating because I don't care about (or get paid to) support normal users. At this stage I am interested in developer feedback, bug reports etc.

If the plugin ships by default in Mozilla and becomes a 'consumer' distribution the settings will tighten to reflect that. But not until that happens.

A hacker would find it much easier to ship a malicious .xpi or plugin. How hard would it be to write an extension that replaced a DLL, installed a backdoor or submitted the wallet data to an #irc channel? Not hard at all. What's more, the Firebird Extension site makes it simple to submit the extension and put it within easy reach of hundreds of thousands of people.

And Firebird users habitually install extensions without a second's thought. So that's what you should be worrying about. Mozilla / Firebird advocates have traditionally complained about how insecure ActiveX is (trust model etc.) and then go and rely on something even worse. I'm surprised a malicious extension hasn't appeared actually. I'm sure there will be a big flap when it does too.

The situation could be immediately improved if Mozilla mandated signed XPI files. Better yet if certs were easier to get. For example Mozilla.org could hand out certs for a $200 deposit, and would be in an ideal position to revoke them fast if need be.

"A hacker would find it much easier to ship a malicious .xpi or plugin. How hard would it be to write an extension that replaced a DLL, installed a backdoor or submitted the wallet data to an #irc channel? Not hard at all. What's more, the Firebird Extension site makes it simple to submit the extension and put it within easy reach of hundreds of thousands of people."

True, that would be very easy...

"I'm surprised a malicious extension hasn't appeared actually. I'm sure there will be a big flap when it does too."

I believe none of the mozdev.org developers will ever do that, but we can't be sure of that, and not every project is hosted on mozdev.org. Thank God for that. I think this might become a bigger problem when more people start using Mozilla as their browser of choice.

Again, this is something we should start worrying about now, not when it's already too late...

Thanks for sharing your point of view. We're off topic but this is very important.

I'm experiencing exactly the same problem ericdere described with Mozilla Firebird 0.7 (German). I first installed the Flash Plugin (7,0,19,0) and it worked perfectly fine. But after installing the latest version of the Active-X Plugin (post 19/01/2004) that Adam offers, the links in Flash animations stopped working. Removing the npxxx.dll file of the Active-X Plugin from the Plugins folder, the Flash Plugin worked fine again. I don't know too much about this software, but well, this thread started with this question and I think there hasn't been a real answer to it yet (which will change soon hopefully :)

I have submitted an enhancement bug report to the NSS project to add a new option to signtool that would create valid signed XPIs. Please view the bug report and give your support for the enhancement. Even if the patch isn't from me, we need it. In a world of security and no trust it's hard to get non-techies to use Mozilla as it is and even harder to get some of them to install anything that's not trusted.
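The signed-XPI point raised twice in this thread (mandating signed .xpi files, and signtool producing valid ones) can be checked mechanically on the defender's side. The script below is an added example, not code from any poster or from the ActiveX plugin: it opens an XPI (a zip) and reports whether the signtool-style `META-INF/manifest.mf`, `zigbert.sf` and `zigbert.rsa` entries are present, then recomputes every digest listed in `manifest.mf` against the packaged files. The file names and manifest layout follow the old Mozilla signed-JAR convention as I know it; the sample XPI is constructed inline, and the `zigbert.*` contents are placeholders because verifying the PKCS#7 signature over the `.sf` file is out of scope here.

```python
import base64, hashlib, io, zipfile

# Entries a signtool-signed XPI carries (assumption: classic Mozilla signed-JAR layout).
SIG_FILES = ("META-INF/manifest.mf", "META-INF/zigbert.sf", "META-INF/zigbert.rsa")

def parse_manifest(text):
    """Parse manifest.mf into {file name: {hash algo: base64 digest}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current section
            current = None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current = value
            entries[current] = {}
        elif current is not None and key.endswith("-Digest"):
            entries[current][key[:-len("-Digest")].lower()] = value
    return entries

def check_xpi(data):
    """Return (has_signature_files, problems). An empty problems list with
    has_signature_files=True means every packaged file matches its manifest digest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        missing = [s for s in SIG_FILES if s not in names]
        if missing:
            return False, ["unsigned: missing " + ", ".join(missing)]
        entries = parse_manifest(z.read("META-INF/manifest.mf").decode())
        for name in sorted(names):
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            if name not in entries:      # a file the signer never vouched for
                problems.append(f"{name}: not covered by manifest")
                continue
            content = z.read(name)
            for algo, expected in entries[name].items():
                actual = base64.b64encode(hashlib.new(algo, content).digest()).decode()
                if actual != expected:
                    problems.append(f"{name}: {algo} digest mismatch")
    return True, problems

def build_sample_xpi(signed=True, tamper=False):
    """Constructed sample XPI with one script; tamper=True alters the file after signing."""
    payload = b"// constructed extension code\n"
    digest = base64.b64encode(hashlib.sha1(payload).digest()).decode()
    manifest = f"Manifest-Version: 1.0\n\nName: chrome/ext.js\nDigest-Algorithms: SHA1\nSHA1-Digest: {digest}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if signed:
            z.writestr("META-INF/manifest.mf", manifest)
            z.writestr("META-INF/zigbert.sf", "placeholder, not a real signature file\n")
            z.writestr("META-INF/zigbert.rsa", b"placeholder, not a real PKCS#7 blob")
        z.writestr("chrome/ext.js", payload + (b"extra();\n" if tamper else b""))
    return buf.getvalue()
```

A real policy check would additionally verify `zigbert.rsa` over `zigbert.sf` with a trusted certificate; this script only catches unsigned packages and files altered after the manifest was written.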